The latest rollout is for QR codes to display at the point of sale. To obtain one, you create an account detailing the operator name, name of establishment, phone number and email address, and you are then issued a QR code.
Being concerned about data security, I am attempting to discover why the QR code I must display for persons using my cafe to "log in" with is 343 bytes long.
The QR code reads as follows:
UKC19TRACING:1:eyJhbGciOiJFUzI1NiIsImtpZCI6IllycWVMVHE4ei1vZkg1bnpsYVNHbllSZkI5YnU5eVBsV1lVXzJiNnFYT1EifQ.eyJpZCI6IlY1VldYMzlSIiwib3BuIjoiUGlwbGV5IEJhcm4gQ2Fmw6kiLCJhZHIiOiJQaXBsZXkgQmFyblxuQnJvY2toYW0gRW5kXG5MYW5zZG93biIsInBjIjoiQkExOUJaIiwidnQiOiIwMDgifQ.xG3rlgLIpQjHuZa7kQ4I4TC2u3xhmHpyhLjqGTS1aaFzueUt8TqqsW4-1eKL-RSOP9o0av9XPivtK-BfPuUV-g
There are a number of repeating sequences in the code such as
eyJ
and
pZCI6Il
which (I think) rules out the possibility that this is proper encryption.
My concern is that I am publicly displaying a lot of information, whereas it seems to me that a simple signature (like UKC19TRACING) plus a key into a database would be sufficient for any rational way of implementing contact tracing.
So I have fired off a Freedom of Information request to the relevant government department (the UK Department of Health and Social Care), but in the meantime, I thought that greater experts than I might like to have a go at decrypting this.
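The QR text quoted above has the shape of a prefix, a version number and a three-part dot-separated token in JWS compact form, whose first two parts are base64url-encoded JSON. The following is an added example, not part of the original post and not code from the scheme's operator. It decodes those parts without verifying the signature, since the issuer's public key is not on this page; the function names are illustrative.

```python
import base64
import json

# QR text exactly as quoted in the post, split at the dots for readability.
QR_TEXT = (
    "UKC19TRACING:1:"
    "eyJhbGciOiJFUzI1NiIsImtpZCI6IllycWVMVHE4ei1vZkg1bnpsYVNHbllSZkI5YnU5eVBsV1lVXzJiNnFYT1EifQ"
    ".eyJpZCI6IlY1VldYMzlSIiwib3BuIjoiUGlwbGV5IEJhcm4gQ2Fmw6kiLCJhZHIiOiJQaXBsZXkgQmFyblxuQnJvY2toYW0gRW5kXG5MYW5zZG93biIsInBjIjoiQkExOUJaIiwidnQiOiIwMDgifQ"
    ".xG3rlgLIpQjHuZa7kQ4I4TC2u3xhmHpyhLjqGTS1aaFzueUt8TqqsW4-1eKL-RSOP9o0av9XPivtK-BfPuUV-g"
)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url text whose '=' padding was stripped, as JWS does."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_qr(text: str) -> dict:
    """Split '<prefix>:<version>:<header>.<payload>.<signature>' and decode it.

    Nothing here checks the signature; that needs the issuer's public key.
    """
    prefix, version, token = text.split(":", 2)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "prefix": prefix,
        "version": version,
        "header": json.loads(b64url_decode(header_b64)),    # algorithm and key id
        "payload": json.loads(b64url_decode(payload_b64)),  # the readable venue data
        "signature": b64url_decode(sig_b64),                # raw signature bytes
    }


def json_prefix_b64(first_key_char: str = "a") -> str:
    """Show why 'eyJ' recurs: it is how '{"' plus a lowercase letter encodes."""
    return base64.urlsafe_b64encode(('{"' + first_key_char).encode())[:3].decode()


if __name__ == "__main__":
    qr = parse_qr(QR_TEXT)
    print("header   :", qr["header"])
    print("payload  :", json.dumps(qr["payload"], ensure_ascii=False))
    print("signature:", len(qr["signature"]), "bytes")
    print("JSON object prefix in base64url:", json_prefix_b64())
```

The header names the algorithm ES256 (ECDSA over P-256 with SHA-256), so the token is signed rather than encrypted: anyone who scans the code can read the payload, but cannot alter it without invalidating the signature.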